#Exposing path.join to renderer in the proper "best-practice" secure way

41 messages · Page 1 of 1 (latest)

spark spade
#

I am trying to convert a web app to electron and still learning about the methods of communicating between main and renderer, etc.

I had a partially working example, with nodeIntegration, but now I am trying to convert it to work with default settings: nodeIntegration:false, contextIsolation:true, sandbox:true, etc. and running into issues.

I have a preload.js script setup to expose some extra interface like so:

const path = require('path')

// All api used from node:
const node = { 
  path: { join: path.join } 
}

contextBridge.exposeInMainWorld('node', node);

There will be other node APIs I plan to expose later but I'm keeping the example simple for now.

This does not work, I guess because path module is not available from a sandboxed preload, as that gives me module not found: "path"
As a quick test I tried temporarily setting sandbox:false, but this results in electron opening to a white screen with no error in the terminal, and no way to open the dev console to check for errors there.

I am still very confused about the intended way to pass control from main to preload to renderer or whatever is supposed to happen. With default security settings, is require basically only usable from main javascript code (not within preload.js)? I thought the whole point of preload is that it has access to all the APIs so that they can be exposed to renderer.

Could someone help by providing a minimum example of how I should ideally expose path.join ?

supple plinth
#

https://www.electronjs.org/docs/latest/tutorial/sandbox

Process Sandboxing | Electron

One key security feature in Chromium is that processes can be executed within a sandbox. The sandbox limits the harm that malicious code can cause by limiting access to most system resources — sandboxed processes can only freely use CPU cycles and memory. In order to perform operations requiring additional privilege, sandboxed processes use dedi...

#

If you trying to expose every nodejs api you need there is no point to have contextIsolation enabled

#

Using path.join without fs module also questionable

#

point of contextBridge and contextIsolation not to expose nodejs api from it but able to call a function that able to work with nodejs

#

In this scenario renderer(browser) code keep mosly as in real browser

#

Without knowing that it have something other then web api

spark spade
#

OK, I thought about the code some more and I don't necessarily need to expose path.join to the renderer.

The code I'm currently struggling with is a logging.js module which I wrote myself. That code needs access to fs and path.join etc. If I try to require it from my preload.js it tells me file not found. If I try to instead import it in preload.js, it says require is not defined, because logging.js does require("path") etc. at the top.

#

I still have absolutely no idea how user-written code is supposed to be included for the main process.

supple plinth
#

with require

spark spade
#

require from preload.js, or from main.js

supple plinth
#

both

#

depends on where you need it

spark spade
#

why can't preload.js find my module when I require it though

supple plinth
#

have you read 1st link i gave you?

spark spade
#

i've read all those pages dozens of times and they are not helping

supple plinth
#

what you dont understand?

spark spade
#

none of the example code deals with including user modules. it only shows examples of node modules from what I've seen

supple plinth
#

are you sure you have read 1st link?

spark spade
#

process sandboxing, yes. what part of that is supposed to be helpful? are you suggesting to disable sandboxing?

supple plinth
spark spade
#

so preload is incapable of requiring any user modules (being CJS)

supple plinth
#

=/

spark spade
#

so i need to learn to setup webpack?

supple plinth
#

reread page again

spark spade
#

could you explain in your own words what you are getting at because reading this page a dozen times is still not helping me understand?

#

I barely just learned how modules work, so maybe that's part of my confusion, but if my code is setting module.export , that's defining a CJS module, right. So the line:
"Because the require function is a polyfill with limited functionality, you will not be able to use CommonJS modules to separate your preload script into multiple files. If you need to split your preload code, use a bundler such as webpack or Parcel."

Sounds to me that I am forced to use webpack or Parcel.

supple plinth
#

if your process is sandboxed

#

you can enable it or disable it

spark spade
#

right. so what does it mean when you get a white blank window after disabling sandbox (from my original post)?

supple plinth
#

i dont know

spark spade
#

god this framework is miserable

supple plinth
#

most likely you do something that crash renderer process

#

by disableing sandboxed you load your code that crash renderer

spark spade
#

do you use webpack?

supple plinth
#

no

#

at least not for electron

#

if you have problems with understanding start from electron-fiddle

#

if you want to use electron you also need nodejs and web knowledge